SecuriTricks - Attack Report

Description

In June 2024, eSentire's Threat Response Unit observed several incidents involving users downloading the ScreenConnect remote access client, potentially facilitated through drive-by downloads. Threat actors exploited ScreenConnect to establish unauthorized remote sessions, ultimately deploying the AsyncRAT trojan. The malicious scripts executed exhibited techniques like delaying tactics and conditional execution to evade detection by security software.

External References

https://github.com/esThreatIntelligence/iocs/blob/main/ScreenConnect/ScreenConnect_AsyncRAT_6-24-2024.txt

https://www.esentire.com/blog/exploring-the-infection-chain-screenconnects-link-to-asyncrat-deployment

https://otx.alienvault.com/pulse/668807c860b915f2f6980755

Date

Created: July 5, 2024, 2:48 p.m.
Published: July 5, 2024, 2:48 p.m.
Modified: July 5, 2024, 4:20 p.m.

Indicators

fd0d3c38d2bbb517a8e74d8879b73ba57a3832a450abbe826803ceef5726a14a
f6e41c3092c5e1167d95330a2a482f695598c31ad79963c59b07ab79dbfb87f7
fa55401d78f8eabf5dff1b903a9f072b8324851286f67c0aca5b3af931bb4877
fb5aac98c73fa13b244d763b495701ab2eb44815dbd0019531fe081536ef9b9a
f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb
f42c7da665f73fdf6e86f1ebf1054af265541f534912599d27b6dc671e9c8375
ea28712cd43fbad5b018a6d19594a5b8a6770965a0221c19f1fb8ebf459d2b31
e5d37c781676a67bacc070088dd8d14f70bf74827c3d788eb9602884c38b7c19
e597fd01bd50700473316d7bcbfe0f6b43d10842d45eb8598bd35438831ae897
e535a00f01748954152e16a28ac1dabeb056d097f4e98aa59f07b9a6f0e9434e
e522531d2cd8fca257452945e0c00a1a04a2d132cef848aef41a1a2e1ef2d8b4
e3ad352e1c9a3a1842c17262d626bb95f9ec3b199cacd4a8011e954a1473843f
e0df0ad47456b7d8a0c34645a7c9990e99ff6fe5d0c96ca55a406b34d5ae91a4
df2e7c2aabe2f6889589aef8f6e8c604207aff07f121f9e6d82a309f1cfd3079
d9c038ec71396e395fbd88b384e3335f3afb94bdf2371fb0713bfe963f342185
d38bbb755ba411e2457833b700e4d3fe4d19acf03feb8f59ac29f804b8a2e938
ce87ff0b32de840a2499d82260bdc83805ce24b9373e190314e5639b0dd034b3
c30702ce7c9931b5a9525a2fef0018ad9a4b314668b72339a4914b0f1783ce9e
b96bd9decf14957fcb03ff4ad753735d00164da2d02ff694607c643531b626cd
b4e71358c183707b27361219af2146f7b72042f56cec7ed8f917795a76b2296f
b31c484cabd6030c919fe519a7697736485f0004c79dbd081c9fb236fc18503f
af962298ee5c9fb41cf82d00dc919bfd6e514bd6aca71ae4d674b259eee0fc7c
abc884a816b3c414ff9d15c1152cf5e5c2d3e670ee6dcee3d052d08056f3ac74
a4e2bbb403f5bcf7709456d412716323022039b87a79c4fe1f8c726269ca236d
ab6979ed8daf3875cda868be8c794035567920f980d491b647efcc922e6375b7
a0cdda26ad1452391df07f904ca5784345b2199308664cf613b09c6f1e24af17
9ae6bea13bbe186dde5a380c94d309c56aba8c055b0f540eadf9c988b914b729
9e7c5a22db466c5c093d9eb91b79fa0c17f4491667aac585b7b8d60a5b0976a0
98f219e6becd0f0501256146bd7bfc6d2f0ce28003c048c821fcb7501686ee38
9243236bd249560e2a626171fe17771656d02418efa6b6ac3c3823c6c747e6a8
95692e64e52f38f3285fc1a071691551aa14d01e4c5867a4c34b60e003d0da61
8ab5db97785ca6fe0213e779b4a3960712bf9202dcfe4ab6ce0add5a2531d862
7ccab1d1207272966907184d73c655a0035451f9bc7f4d602e069312ac819244
717c083156d07b631e42e3d9f4d175c59d206f7b3b04add1f761b43fbdf41cee
784b8907059b57709fbcfc8e4a97d914a181a8d6f955202ce4815abeac85f033
6f1905e804200c694582758c63244fd966e807eeee443bd0d40bebd5072045a5
6bfea924734c7ccdf2822729d72d78a5174011768de0cd2576643e99832f8452
6ed34a18930c558f946a17f2d0de649413b7441c96458b762ea588d185df797c
6a6226eb265a361098bb8fc947448f831ee9549a84208033045e2cbdc3b0ba34
62d76b7498756fcbc87629cb0fa001e8e1272883e434054a5356901ac2699aec
6513878c1be24fe2f041008a51754071fa90fd48fd9de65290a6d01fdcd7efa6
5f27802fabf7e1921c04359bfa48cfc96c18514d3f7a32a39fc80566e2e18008
5eb2ebe9104e6ef814851ccfb6493408a3f02fa7b2a0d06da4e7b678f1f93833
5d45100f7f80903ea2031dbd4c546bee6c12a8a98d6f27ac5d741a8886c81b83
5aed97c59a0286107312dab7982983d4bf638eb1a999ac86c1056114fd4f12e0
597a55ac25fc4ca4d5fcba33bbd88f3b1fc47ace41e89daf394f76b0841d0979
59dea613bbff003ad139da01c6243f3d8f6cd31f09c192b38c8beb0c6ade8acc
579daf4b58d3f1b9903dad053ccdbbf05f445cb70339996ce90f477958035e68
568be120305376a9b9d9dfaacccdaf8788883b5c544a330294d4671c57796f6d
55b588463e9af8c4e4d2dbbe608f6e47e8987a2c32b5aa69c6a19ddc3fc25a4c
533ffd45167d8029a62cd54986bbf933199676dc731898083f1287f8fe65451a
526abb1dd44dad419d000482a5f92cfc4d290673aa8dc7c60ca2017a4fb5de88
50450ca18d815947ba511ba18d18261c6206254891b25734824caa68a602c4d0
47bc65e3d83d26b419535d9ecd9c14ea2a66554eca0222b30356105abcd62ed0
3f43b6029cb0c42b95c9205356746ce72db43ed82163f6b176a6f280b2eae98b
3d3f9a8fdc25492e1f797d7ea40c0afdef8aafb65c3d7248d3d76f4817fb66d4
32ccda7747cd105f270caee6494a453b4a6614f332f5c23193d8ad8fcb9ed939
3285c76f50ce1bd5985e3201a7e85695bd94fc595fc3da70b71f7d87fc4f69c2
31a81bddfce4cf7cc065e451c9445372a55854dffca0fc520ae81f9bfa4f22a0
2e370ce4d05ab6154489ba3a9ed75e7a6890c5b5b7974a687f928683a5bda221
2da256191573d99e7c36606c6748ea84d8665cc2f8000bd0d2fadbd66ab3004a
2ac4277b12a5091ff5e041989d932cff2b0b69a1d31a7de6d74984d5fd725641
279241ff7fd78e4152b35cd2f1e673994e7b2a02ded4edd31ef152f95d9bc969
249edf69d999163b1dbc9923ff2c8a5903757ffc9b027461f03047b171afe1d1
236c5323d8aeb74d97f0bd5d54d8c774d07ff26f6befbc7f155b5349d0ba604a
22ccc6e138ff12b9c7738caf64c25bdf00b478b1b2e523daf25be3fca196f984
1c31231b53b0baa178c93c26bec5039237329e9f814b61954a475d6052528c43
0294ac2898d8db407f961eed90af5f63f074f7c37c5f803b707b56b81740a4b6
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

36.75.75.75
138.112.25.25
123.181.24.36
1.13.16.45
71.162.181.51

uipwbmldpswkgwle.site
lomklauekabjikaiwoge.com
aviranpreschool.com

Download all indicators here!

Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT Deployment

Description

External References

Tags

Date

Indicators

Attack Patterns

Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT Deployment

Description

External References

Tags

Date

Indicators

Attack Patterns

Share